From 86a394d1aa7d3924f23203d914cf719813a3f2c7 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Pialasse
Date: Tue, 31 Dec 2024 03:38:10 -0500
Subject: [PATCH] * Fri Dec 27 2024 Jean-Philippe Pialasse 11.0.0-8.sme - add X-Content-Type-Options nosniff [SME: 12835] - add Strict Transport Security support HSTS [SME: 12815] - add X-Frame-Options SAMEORIGIN Header to prevent clickjacking [SME: 12816] - add referrer-Policy same-origin [SME: 12817] - add OCSP Stapling support [SME: 12819] - add CSP Content-Security-Policy support [SME: 9567] - add .well-known and .well-known/security.txt [SME: 12818]
---
 .../httpd/conf/httpd.conf/VirtualHosts/12HSTS | 15 -----------
 .../httpd.conf/VirtualHosts/28security.txt | 2 +-
 .../httpd/conf/httpd.conf/VirtualHosts/29HSTS | 26 +++++++++++++++++++
 .../httpd/conf/httpd.conf/VirtualHosts/30csp | 22 ++++++++--------
 4 files changed, 38 insertions(+), 27 deletions(-)
 delete mode 100644 root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/12HSTS
 create mode 100644 root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/29HSTS
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/12HSTS b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/12HSTS
deleted file mode 100644
index 4762ad9..0000000
--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/12HSTS
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- # return if not SSL
- return " # skipping SSL certificate\n" unless $port eq "$httpsPort";
- # return unless we have a real certificate (however, here we assume that one will not set manually a self signed one...)
- # by the way accessing with an ip will fail.
- #my $ssl_file_crt = $domains->get_prop($virtualHost, "DomainSSLCertificateFile") || $modSSL{'crt'} || "disabled";
- #return " # HSTS incompatible with self signed certificate\n" unless ($ssl_file_crt ne "disabled" && -e $ssl_file_crt);
- # return unless enabled for domain
- return " # HSTS disabled\n"; unless ( ($domains->get_prop($virtualHost, "HSTS") || "enabled") eq 'enabled');
- # if setting preload you need max-age>= 1years in second and includeSubDomains enabled.
- my $preload = (($domains->get_prop($virtualHost, "HSTSpreload") || "disabled") eq 'enabled')? "; preload" : "";
- # default to 1 years in second to access to preload; suggested 2 years.
- my $age = ($domains->get_prop($virtualHost, "HSTSage") )? $domains->get_prop($virtualHost, "HSTSage") : "31536000";
- $OUT = 'Header always set Strict-Transport-Security "max-age=$age; includeSubDomains $preload' ;
-}
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28security.txt b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28security.txt
index c2ce376..1c10f92 100644
--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28security.txt
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28security.txt
@@ -7,6 +7,6 @@
 $OUT = '';
 if (($port eq $httpPort) && ($haveSSL eq 'yes') && ($plainTextAccess ne 'yes'))
 {
- $OUT .= " RewriteRule ^/.well-known/security.txt\$) https://%{HTTP_HOST}/.well-known/security.txt [L,R]\n";
+ $OUT .= " RewriteRule ^/.well-known/security.txt\$ https://%{HTTP_HOST}/.well-known/security.txt [L,R]\n";
 }
 }
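Review bot: The redirect target on the corrected RewriteRule line echoes `%{HTTP_HOST}`, so a request carrying an arbitrary Host header that is served by this vhost (for instance when it is the default vhost for the address) is redirected to whatever host the client supplied; `%{SERVER_NAME}` together with `UseCanonicalName On` pins the target to the configured name. The two dots in the pattern are unescaped, so `^/.well-known/security.txt$` also matches paths such as `/xwell-known/security.txt`; `^/\\.well-known/security\\.txt\$` (double backslash because the template string is double-quoted Perl) makes the literal match explicit. `[L,R]` issues a 302, and `[L,R=301]` is worth considering if the plain-HTTP path is meant to be permanently redirected. The enclosing `if` block and the template block around it start before line 7 of the file, outside this hunk.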
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/29HSTS b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/29HSTS
new file mode 100644
index 0000000..b6f34fb
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/29HSTS
@@ -0,0 +1,26 @@
+{
+ use esmith::DomainsDB;
+ my $domains = esmith::DomainsDB->open_ro;
+
+ # return if not SSL
+ return " # skipping SSL certificate\n" unless $port eq "$httpsPort";
+
+ # return unless we have a real certificate (however, here we assume that one will not set manually a self signed one...)
+ # by the way accessing with an ip will fail.
+ my $ssl_file_crt = $domains->get_prop($virtualHost, "DomainSSLCertificateFile") || $modSSL{'crt'} || "disabled";
+ return " # HSTS incompatible with self signed certificate\n" unless ($ssl_file_crt ne "disabled" && -e $ssl_file_crt);
+
+ # return unless enabled for domain
+ return " # HSTS disabled\n" unless ( ($domains->get_prop($virtualHost, "HSTS") || "enabled") eq 'enabled');
+
+ # if setting preload you need max-age>= 1years in second and includeSubDomains enabled.
+ my $preload = (($domains->get_prop($virtualHost, "HSTSpreload") || "disabled") eq 'enabled')? "; preload" : "";
+
+ my $includeSubDomains = (${'httpd-e-smith'}{HSTSsubdomain} eq 'enabled')? "; includeSubDomains" : "";
+ $includeSubDomains = "; includeSubDomains" if ($preload eq "; preload");
+
+ # default to 1 years in second to access to preload; suggested 2 years.
+ my $age = ($domains->get_prop($virtualHost, "HSTSage") )? $domains->get_prop($virtualHost, "HSTSage") : "31536000";
+
+ $OUT = ' Header always set Strict-Transport-Security "max-age='.$age.' '.$includeSubDomains.' '.$preload.'"' ;
+}
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/30csp b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/30csp
index fb966a4..527d804 100644
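Review bot: `$age` on the `my $age = ...` line is taken from the `HSTSage` property without validation, so any non-numeric value lands verbatim in the header and yields a malformed `max-age`, which a conforming user agent discards together with the whole Strict-Transport-Security field; `my $age = $domains->get_prop($virtualHost, "HSTSage"); $age = "31536000" unless defined $age && $age =~ /\A\d+\z/;` keeps the default and accepts only an integer. On the `my $includeSubDomains` line the config-DB value is compared with `eq` without the `|| "disabled"` default the neighbouring `get_prop` calls use, so an unset `HSTSsubdomain` raises an undefined-value warning; `((${'httpd-e-smith'}{HSTSsubdomain} || 'disabled') eq 'enabled')` matches the rest of the block. The `-e $ssl_file_crt` test only proves a certificate file is configured, not that it is CA-issued, so the `# HSTS incompatible with self signed certificate` message overstates the check; a comment such as `# only verifies a certificate file is configured; a self-signed one still passes` would be more accurate. The emitted value also carries a space before each `;` (`max-age=N ; includeSubDomains ; preload`), which RFC 6797 tolerates but `'max-age='.$age.$includeSubDomains.$preload` produces the canonical form.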
--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/30csp
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/30csp
@@ -1,11 +1,11 @@
-{
- use esmith::DomainsDB;
- my $db = esmith::DomainsDB->open_ro;
- my $CSP = $db->get_prop($virtualHost, "CSP") || "default-src 'self' https://www.$virtualHost https://$virtualHost; style-src 'self' https://*.$virtualHost; script-src 'self' https://*.$virtualHost; worker-src 'self' https://*.$virtualHost; frame-ancestors 'self' https://*.$virtualHost; base-uri 'self' https://*.$virtualHost; form-action 'self' https://*.$virtualHost ";
- return " # CSP disabled for this host\n" if ($CSP eq "disabled");
- if ($CSP ne '')
- {
- $OUT .= " # Content-Security-Policy; only if not set by content\n";
- $OUT .= " Header setifempty Content-Security-Policy \"$CSP\"\n";
- }
-}
+{
+ use esmith::AccountsDB;
+ my $accounts = esmith::AccountsDB->open_ro;
+ my $CSP = $accounts->get_prop($virtualHostContent, "CSP") || "default-src 'self' https://www.$virtualHost https://$virtualHost; style-src 'self' https://*.$virtualHost; script-src 'self' https://*.$virtualHost; worker-src 'self' https://*.$virtualHost; frame-ancestors 'self' https://*.$virtualHost; base-uri 'self' https://*.$virtualHost; form-action 'self' https://*.$virtualHost ";
+ return " # CSP disabled for this host\n" if ($CSP eq "disabled");
+ if ($CSP ne '')
+ {
+ $OUT .= " # Content-Security-Policy; only if not set by content\n";
+ $OUT .= " Header setifempty Content-Security-Policy \"$CSP\"\n";
+ }
+}
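Review bot: The `Header setifempty Content-Security-Policy \"$CSP\"` line interpolates the `CSP` property straight into a double-quoted httpd directive, so a value containing an unescaped `"` or a newline produces a broken httpd.conf and the reload fails for every vhost; the new code reads the property from AccountsDB instead of DomainsDB but still does not validate it. `return " # CSP ignored: invalid characters in CSP property\n" if $CSP =~ /["\r\n]/;` placed after the `disabled` check keeps the template from emitting an unparsable directive. The `if ($CSP ne '')` test is dead, since `||` has already replaced an empty value with the default policy; that default sets `frame-ancestors 'self' https://*.$virtualHost`, which CSP-aware browsers enforce in preference to an `X-Frame-Options SAMEORIGIN` header and so permits framing from subdomains — worth a comment if that is intended. The lookup now keys on `$virtualHostContent`, defined outside this file, while 29HSTS in the same commit still keys DomainsDB on `$virtualHost`, so per-host policy is presumably now split across two databases and the difference deserves a line of explanation.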